Full Disclosure mailing list archives

Re: Symlink attack techniques


From: Joachim Schipper <j.schipper () math uu nl>
Date: Thu, 15 Dec 2005 18:27:09 +0100

On Thu, Dec 15, 2005 at 01:09:49PM +0000, Werner Schalk wrote:
> Hi,
> 
> thanks for all the replies, I really appreciate this.
> 
> basically the cronjob is something like:
> 
> 15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt
> 
> Consequently as userB I have no way of influencing what information is printed
> by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root
> access?

This is not generally possible. It's likely to be viewed, though, and you
can attack the viewing application (bad email clients, old vim versions,
and most browsers apply).

Of course, symlinking it to /etc/passwd is fun but ultimately pretty
useless.

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
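The cron line under discussion, shown alongside two hardened variants, as an added example that is not part of either poster's message. Everything below runs as an unprivileged user inside a scratch directory created with mktemp, so the file named "victim" stands in for whatever root-owned file the symlink at /tmp/report.txt was pointed at; the scratch paths, the function names and the sample home tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a root cron job of the form
#   find /home/userA -type f -print > /tmp/report.txt
# writes to a fixed name in a world-writable directory. Another user can
# plant a symlink at that name, and the '>' redirect follows it.
# Nothing here runs as root; a scratch tree stands in for /tmp, /home
# and the root-owned file the symlink targets (hypothetical layout).

# Build the scratch layout: a fake shared /tmp, a fake home tree to
# report on, and a "victim" file the attacker wants overwritten.
setup_scratch() {
  scratch=$(mktemp -d) || return 1
  mkdir -p "$scratch/tmp" "$scratch/home/userA/docs"
  echo "user data" > "$scratch/home/userA/docs/notes.txt"
  echo "root:x:0:0:root:/root:/bin/sh" > "$scratch/victim"
  # The attacker's move: pre-plant a symlink at the predictable output path.
  ln -s "$scratch/victim" "$scratch/tmp/report.txt"
  echo "$scratch"
}

# The cron line as written. A plain '>' opens the path with O_TRUNC and
# no O_EXCL, so the shell follows the symlink, truncates the target and
# fills it with find's output.
report_unsafe() {
  scratch=$1
  find "$scratch/home/userA" -type f -print > "$scratch/tmp/report.txt"
}

# Hardened variant 1: same fixed path, but with 'set -C' (noclobber) the
# shell refuses to open a path that already exists. A symlink, dangling
# or pointing at a regular file, counts as existing, so the redirect
# fails instead of being followed. Caveat: bash only refuses when the
# target is missing or a regular file; a symlink to a device or FIFO is
# still followed, so this is a partial defence only.
report_noclobber() {
  scratch=$1
  if ( set -C; find "$scratch/home/userA" -type f -print \
         > "$scratch/tmp/report.txt" ) 2>/dev/null; then
    echo written
  else
    echo refused
  fi
}

# Hardened variant 2 (preferred): do not write into a shared directory at
# all. mktemp creates the file with O_EXCL under a private directory
# that other users cannot write to, so there is no name to pre-plant.
# "$scratch/var/report" stands in for a root-owned, mode-0700 directory.
report_private() {
  scratch=$1
  mkdir -p "$scratch/var/report"
  chmod 700 "$scratch/var/report"
  out=$(mktemp "$scratch/var/report/report.XXXXXX") || return 1
  find "$scratch/home/userA" -type f -print > "$out"
  echo "$out"
}

# Check helper: first line of the victim file, to see whether it survived.
victim_head() {
  head -n 1 "$1/victim"
}
```

On a current Linux kernel the unsafe variant is also blocked by fs.protected_symlinks=1 (available since 3.6 and enabled by default on most distributions), which makes root's open() fail with EACCES when following a symlink in a sticky world-writable directory that neither root nor the directory owner created; the 2005 system in the thread had no such protection, and the private-directory variant does not depend on it.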